It better be. The new Director of HHS/OCR and HIPAA Enforcement is on the lookout for noncompliance.
Threats to data security are nothing unusual today. What is different is HIPAA’s new head of enforcement, who’s on the lookout for organizations that aren’t fully compliant with federal requirements. Even small organizations can be in big trouble for noncompliance; that is the message he’s sending.
The Office for Civil Rights (OCR) is the governing body for HIPAA violations, and Roger Severino is determined to take action as its incoming director. Since he started in March 2017, Severino said that he’ll be looking for ways to combat threats to personal information security.
Because HIPAA compliance continues to be challenging, with ongoing changes and complexities in the regulations, Severino wants organizations to add a strong educational component to their cybersecurity plans.
The Expanding Requirements for EHR Usage
As the use of Electronic Health Records (EHR) expands, so do the requirements for how that data should be stored, transmitted and shared. As HIPAA legislation continues to evolve and new types of digital communication appear, another level of complexity is added to the compliance picture.
HIPAA is meant to cover a variety of different situations, such as:
- Details on the type of information that can be shared with next of kin in the event of a catastrophic accident or illness.
- How you access your personal medical records and those of your dependents.
- Those named to be your “voice” and speak on your behalf if you can’t communicate.
- A requirement for healthcare entities to have a compliance department where you can relay your concerns and have them addressed.
Since various computer systems are unique and don’t work together seamlessly, there are many potential points of failure that can set you up for noncompliance. This requires attention from security technology professionals who fully understand these challenges.
Interoperability is Crucial.
Security and privacy concerns continue to grow as cyber attacks become increasingly prevalent. To this end, government regulators are actively looking for ways to promote interoperability of systems through the use of open APIs (Application Programming Interfaces).
These specialized tools and subroutines can be well secured and include high levels of encryption, which is ideal when sharing confidential personal information. They also provide another positive byproduct: improved access for individuals to their personal healthcare information, something that continues to be a challenge.
Ongoing Education is Essential.
The federal government is focusing on providing healthcare entities the information and training needed to successfully implement security protections.
While risk assessment tools, security training games and a vast ocean of information are available to IT professionals in the healthcare field, it’s still difficult to stay on top of the ongoing changes in regulations.
In response to the ongoing need for more training, OCR has launched a video-training portal that provides organizations with the tools needed to maintain full HIPAA compliance. There are also several listservs that provide technology and business professionals with updates to HIPAA requirements and any identified vulnerabilities. Most or all of these tools are available free of charge, and some even offer the ability to earn free Continuing Medical Education (CME) credits.
Medical Devices and HIPAA
Medical devices are the latest in a long string of new technologies that present a potential for data breaches, and they may pose a higher risk than other types of devices because they’re connected to secure hospital networks and to other medical devices.
The depth of information available to a cyber attacker via a medical device is dizzying, as these gadgets gather incredibly personal information such as height, weight, blood pressure, heart rates and other critical information. Plus, the data is typically tied to personally identifiable information.
To limit the possibility of a cyber attack, hospitals, manufacturers and technology teams must work closely together to ensure these devices are introduced into a closed network and in a secure fashion. Unfortunately, this often means that the cost of the apparatus goes up due to the complexity of security required by government regulations.
The FDA is actively assessing medical devices as points of entry for cybercrime, and it is developing a risk-assessment framework to ensure that threats to health information are mitigated.
As the federal government turns to organizations to increase their cybersecurity readiness, technology departments will continue to scramble to stay on top of the latest updates. The IT professionals at Apex can support your Central and Northern California organization through effective implementation of security protocols, and help you meet ever-changing HIPAA compliance regulations. Contact us for a free initial consultation at (800) 310-2739 or firstname.lastname@example.org.